Re: Non-root chroot

From: Vadim Goncharov <vadimnuclight_at_gmail.com>
Date: Mon, 04 Aug 2025 12:22:06 UTC

On Fri, 1 Aug 2025 17:04:24 -0500
Jason Bacon <bacon4000@gmail.com> wrote:

> > What you want is called jail(8) and it was designed a quarter of a century
> > ago exactly to overcome chroot() problems:
> > https://papers.freebsd.org/2000/phk-jails/
> > (because one cannot just fix chroot)
> > 
> > Nowadays, there are many jail wrappers so your task of same user
> > unprivileged user inside is highly likely solved already.
> >   
> 
> I'm aware of jails, which I use regularly for poudriere testing, but I'm 
> under the impression that they also require root privileges at some 
> level.  To be clear, are you saying that a non-privileged user, with no 
> ability to edit system files or change sysctls can create a jail in user 
> space with no assistance from the sysadmin?  So far I have not found a 
> way to do this.

I did not even look for exactly this requirement, but e.g. the page
https://wiki.freebsd.org/JailingGUIApplications has an example of sudo settings
and in its first paragraphs refers to a forum post which uses e.g. the jailme
utility (and also iocage, one of the many jail wrappers I've mentioned above;
another popular manager is cbsd); maybe some of them can do what you want,
check for yourself.

> Ultimately I would like the tools I'm developing to be usable by 
> scientific researchers using institutionally-managed, shared systems, 
> where enabling something like security.bsd.unprivileged_chroot is not 
> possible for the user and probably a good idea anyway.

You need to be sure the user always passes `-n` to the chroot utility to make
jailbreaking not possible, which is of course not guaranteed until you trust
your users to give them root anyway.

-- 
WBR, @nuclight